Daniel Lunghi

263 Followers
109 Following
18 Posts
Threat researcher @Trend Micro focusing on #apt
Twitter: https://twitter.com/thehellu
We investigated an #APT with links to Void Rabisu (Romcom) that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
We saw Earth Estries, an advanced CN #APT intrusion set, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html
For incident responders investigating Shadowpad cases, remember to retrieve the volume serial number of the drive where #Shadowpad was deployed. The first time the malware is run, it will delete the encoded payload file (<random name>.tmp) and encrypt it in the Windows registry using the volume serial number. Those can also be found in LNK and Prefetch files in case you don't have live access to the host anymore.
You can then use the VolumeID tool from Sysinternals to change the volume serial number of your virtual machine
https://learn.microsoft.com/en-us/sysinternals/downloads/volumeid
VolumeID - Sysinternals

Set Volume ID of FAT or NTFS drives.

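An added example that is not part of the post above, and not the author's or Trend Micro's tooling: a small Python parser that pulls the DriveSerialNumber (plus the volume label and the local target path) out of a .lnk file's LinkInfo/VolumeID structures as laid out in MS-SHLLINK, which is the value you need before re-stamping an analysis VM with VolumeID. It only covers LNK files, not Prefetch. The sample link it builds is constructed (the serial 1A2B-3C4D, the label "OS" and the .tmp path are made up) so the script runs offline; the `volumeid C: 1A2B-3C4D` invocation in the comments is the Sysinternals usage as I recall it and should be checked against the tool's own help output.

```python
"""Extract the volume serial number recorded in a Windows .lnk file (MS-SHLLINK).

Added example, not from the post: a shell link stores, in its LinkInfo ->
VolumeID block, the DriveSerialNumber of the volume the target lived on.
Once recovered it can be re-applied to the analysis VM (assumed syntax:
`volumeid C: 1A2B-3C4D`) before running the payload stored in the registry.
"""
import struct
import sys
from pathlib import Path

# ShellLinkHeader.LinkCLSID = {00021401-0000-0000-C000-000000000046}, little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def _cstring(data: bytes, offset: int) -> str:
    """NUL-terminated ANSI string at offset."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252", errors="replace")


def _wstring(data: bytes, offset: int) -> str:
    """NUL-terminated UTF-16LE string at offset (scan in 2-byte units)."""
    end = offset
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le", errors="replace")


def lnk_volume_info(data: bytes):
    """Return drive type, serial, label and local base path of the link target,
    or None when the link carries no local VolumeID (network target / no LinkInfo)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if not link_flags & HAS_LINK_INFO:
        return None
    li = pos  # every LinkInfo offset is relative to this position
    _li_size, _li_hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vid = li + vol_off
    _vid_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
    if label_off == 0x14:  # VolumeLabelOffsetUnicode is present at vid+16
        label = _wstring(data, vid + struct.unpack_from("<I", data, vid + 16)[0])
    else:
        label = _cstring(data, vid + label_off)
    return {
        "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
        "serial": serial,
        "label": label,
        "local_base_path": _cstring(data, li + base_off),
    }


def format_serial(serial: int) -> str:
    """Render as Windows (and VolumeID) shows it: XXXX-XXXX."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def build_sample_lnk(serial: int, label: bytes = b"OS",
                     target: bytes = rb"C:\Users\victim\AppData\Local\Temp\a1b2c3.tmp") -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only); made-up values, test input only."""
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, 3, serial, 16) + label + b"\x00"
    local_base = target + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    hdr = 0x1C
    link_info = struct.pack("<IIIIIII",
                            hdr + len(volume_id) + len(local_base) + len(suffix),  # LinkInfoSize
                            hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr,                                   # VolumeIDOffset
                            hdr + len(volume_id),                  # LocalBasePathOffset
                            0,                                     # CommonNetworkRelativeLinkOffset
                            hdr + len(volume_id) + len(local_base)  # CommonPathSuffixOffset
                            ) + volume_id + local_base + suffix
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO) + b"\x00" * 52
    return header + link_info


def scan(root: str) -> None:
    """Walk a mounted image or triage folder and print the serial of every parsable .lnk."""
    for p in Path(root).rglob("*.lnk"):
        try:
            info = lnk_volume_info(p.read_bytes())
        except (ValueError, struct.error, IndexError) as exc:
            print(f"{p}: unparsable ({exc})")
            continue
        if info:
            print(f"{p}: {format_serial(info['serial'])} [{info['label']}] {info['local_base_path']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan(sys.argv[1])
    else:
        info = lnk_volume_info(build_sample_lnk(0x1A2B3C4D))
        print(format_serial(info["serial"]), info)
```

Run it with the path of a mounted image or a triage collection (`python lnk_serial.py E:\Users`) and compare the serials against the one Shadowpad was installed from; the local base path also tells you which file each link pointed at, which helps spot the launcher the `.tmp` payload sat next to.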
We released a report on an updated version of #Shadowpad including anti-debugging features and a new configuration structure, which in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
#APT
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker" https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor.
Updated Shadowpad Malware Leads to Ransomware Deployment

In this blog entry, we discuss how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication.

Trend Micro
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time, we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://trendmicro.com/en_us/research/24/c/earth-krahang.html
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware tools are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa.

Trend Micro
Virus Bulletin released my talk on a #Shadowpad sample delivered by a Pakistani government application named eOffice. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and an attribution discussion https://www.youtube.com/watch?v=i52MH-YFEeo
The slides https://virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf and paper https://virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf are also available. In addition to what we published in July in our blog, the paper details our failed attempts to attribute this attack based on custom malware families and their links to other advanced threat actors #threatintel
Possible supply chain attack targeting South Asian government delivers Shadowpad - Daniel Lunghi

YouTube
We found a possible supply chain attack on the eOffice application developed by the Pakistani government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend in with legitimate network traffic https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html
It is possible that the MSI installer could have been modified and then redistributed. However, as it was not publicly available at the time of the incident (September 2022), that would imply that the threat actor retrieved it from a PK gov entity before weaponizing it. #APT
Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad

We recently found that an MSI installer built by the National Information Technology Board (NITB), a Pakistani government entity, delivered a Shadowpad sample, suggesting a possible supply-chain attack.

Trend Micro
The slides https://botconf.eu/wp-content/uploads/2023/04/2023_5856_LUNGHI.pdf and video https://youtube.com/watch?v=713CsmcNE3o of my #Botconf talk about #IronTiger TTPs are online. I discuss recent infection vectors (including a supply chain attack), the evolution of their malware toolkit and targeting, and explain how we attributed these campaigns to #IronTiger #APT27 #APT threat actor
My latest #APT research on #IronTiger (#APT27/#EmissaryPanda/#LuckyMouse) is out! It includes an analysis of a new version of SysUpdate ported to Linux, a new communication protocol through DNS TXT requests, a VMProtect certificate compromise, and a probable infection vector https://trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Trend Micro

If you are like me and used Twitter to monitor specific keywords with Tweetdeck, just to find out there is no such thing as general keyword search in here, don't /ragequit yet.
AFAIK, you cannot search for a keyword in toots from random users unless you favorited/boosted them or have been mentioned in them. Which means you already read them and know about their existence in the first place, which is good for bookmarking, but useless for discovering relevant toots from random users.
However, there is a nice feature in the web advanced view (which you can enable in the "Appearance" preferences):
You get a three-column view, one for notifications, one for your regular timeline, and the last one with the content of your choice: either the federated timeline, the local timeline, your DMs, etc.
That's a nice first step, but there is still a lot of space wasted if you have a big screen and resolution.
Here comes the trick I just learned: if you search for a hashtag (let's say, #apt), you get some hashtag results. By clicking on the one you're interested in, it becomes the content of the 3rd column we mentioned before.
Then, if you click on the top-right icon, a "Pin" feature appears. A final click, and tadaaaa, now you have a 4th and permanent column with a hashtag you are interested in!
You can reproduce the same for any hashtag you want and finally have a reason to buy one of those giant screens :)

It does not match the Twitter keyword feature, but it's still nice. It also means that, as a toot writer, it is important to use relevant hashtags.